CVE-2025-54290

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-54290

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-54290.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-54290

Aliases

Downstream

DEBIAN-CVE-2025-54290

DSA-6027-1

UBUNTU-CVE-2025-54290

Published

2025-10-02T10:15:39Z

Modified

2025-11-05T19:58:35.042812Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Information disclosure in image export API in Canonical LXD before 6.5 and 5.21.4 on Linux allows network attackers to determine project existence without authentication via crafted requests using wildcard fingerprints.

References

https://github.com/canonical/lxd/security/advisories/GHSA-p3x5-mvmp-5f35

Affected packages

Git / github.com/canonical/lxd

Affected ranges

Type: GIT
Repo: https://github.com/canonical/lxd
Events: Introduced

03aab09f5b5cbdada00c6539877dcf5932fcde98

Fixed

0494f5d47e41af69a8374568c0cb8b3eefd72a6a

Affected versions

lxd-4.*

lxd-4.0.0

lxd-4.1

lxd-4.10

lxd-4.11

lxd-4.12

lxd-4.13

lxd-4.14

lxd-4.15

lxd-4.16

lxd-4.17

lxd-4.18

lxd-4.19

lxd-4.2

lxd-4.20

lxd-4.21

lxd-4.22

lxd-4.23

lxd-4.24

lxd-4.3

lxd-4.4

lxd-4.5

lxd-4.6

lxd-4.7

lxd-4.8

lxd-4.9

lxd-5.*

lxd-5.0.0

lxd-5.1

lxd-5.10

lxd-5.11

lxd-5.12

lxd-5.13

lxd-5.14

lxd-5.15

lxd-5.16

lxd-5.17

lxd-5.18

lxd-5.19

lxd-5.2

lxd-5.20

lxd-5.21.0

lxd-5.21.1

lxd-5.21.2

lxd-5.21.3

lxd-5.3

lxd-5.4

lxd-5.5

lxd-5.6

lxd-5.7

lxd-5.8

lxd-5.9

v5.*

v5.21.0